Risk management, strategy and analysis from Deloitte

CONTENT FROM OUR SPONSOR. Please note: The Wall Street Journal News Department was not involved in the creation of the content below.

Managing Third-party Risks to Create and Protect Value

Third-party relationships have the power to affect shareholder value negatively or positively, and even exponentially in relation to the vendor’s size and type of service provided. While the focus of third-party risk management is often on protecting an organization from downside losses, organizations that proactively manage third-party risks across the extended enterprise can achieve a number of benefits, such as increased productivity, contract and asset optimization, flexibility and expanded growth opportunities.

Krissy Davis

In general, a third party is an individual or entity with which the company does business, including customers, partners, agents, affiliates, vendors and service providers. Taken together, these third parties, who may be located in regions around the world, constitute “the extended enterprise.” As the extended enterprise grows and becomes more complex, organizations should consider managing their exposure to the actions of third parties in a strategic and proactive manner.

The challenge is that risk management is often fragmented and decentralized, and despite the increasing focus on risk management, some organizations still do not have a dedicated risk officer. In addition, some organizations have not fully considered how to leverage the so-called three lines of defense—business unit, governance and internal audit—for managing risk and driving performance across the extended enterprise.

“Many organizations approach third-party risk management on an ad-hoc and selective basis through point solutions, addressing prominent pain points such as cyber risk and mandatory regulatory compliance as they arise,” says Krissy Davis, a Deloitte Advisory partner with Deloitte & Touche LLP. “A broad, cross-enterprise view is often missing, with lack of ownership being a common theme. Organizations should consider a broader extended enterprise risk management [EERM] program that emphasizes value creation as well as value protection,” Ms. Davis notes.

Issues related to decentralized risk management can be addressed by an effective EERM model that also creates value by linking the risk management components to business objectives and risk domains across the extended enterprise.

Dan Kinsella

“EERM can be a proactive lever for driving business performance, although some businesses see it mainly as a reactive means of protecting existing worth,” says Dan Kinsella, a Deloitte Advisory partner with Deloitte & Touche LLP. “In order for organizations to leverage their risk management processes to improve performance, it is critical to develop an end-to-end approach for sensing risks systematically throughout the extended enterprise so that vulnerabilities can be addressed proactively,” Mr. Kinsella adds.

Some organizations attempt to “patch the leaks” in managing the extended enterprise as opposed to repairing the whole structure. For example, they may focus on their spend or look for the low-cost provider when engaging a third party, rather than focusing on the vendor’s risk profile, control environment and ability to drive performance.

In addition, for some organizations, taking an end-to-end approach to managing the extended enterprise is challenging because securing executive sponsorship and getting people to take ownership can be an uphill climb. Further, some organizations might consider the task too vast and assume they don’t have the experience and resources to build, execute and sustain a comprehensive third-party oversight program.

“These barriers are more perception than reality,” says Ms. Davis. “It is neither necessary nor possible to do everything at once. It is rather a matter of identifying some practical steps to take toward establishing an EERM program or evolving an existing one.” Organizations can get a sense of what the steps might be by considering the extent to which they have developed EERM capabilities related to strategy and governance, people, process and technology.

Four Cornerstones for Effective EERM

Strategy and governance. Organizations should consider putting in place a formal strategy and governance model for managing third-party risk. This includes assessing whether the governance model is agile and flexible enough to, for example, link risk management practices to value drivers. Organizations should also understand where breakpoints exist in third-party relationships and have a prescribed means of assessing and staying ahead of them. Finally, the model should proactively seek to bridge the gap between business executives and compliance and risk professionals.

The people component. Effective EERM programs require active management of relationships, compliance and regulations. For example, organizations should consider assigning dedicated roles for managing third-party risk across the extended enterprise and aligning and strengthening their three lines of defense—business unit, governance and internal audit. Executive ownership of EERM at the enterprise level is important for improving programs, as is keeping employees and third parties current with respect to emerging regulatory requirements.

Effective processes. Procedures and protocols governing how an organization reacts to, or seeks to prevent, third-party incidents can help it navigate the events that shape the extended enterprise. For instance, organizations can standardize and integrate risk management processes across the enterprise and achieve benefits ranging from more resilient strategies to lower costs and greater operational efficiency. Evolving technologies, market trends and disruptive forces present both opportunities and challenges to third-party relationships; monitoring these factors therefore contributes to the success or failure of those relationships and to meeting the organization’s strategic objectives.

Additionally, organizations can work to confirm that appropriate contracts are in place and that third parties are meeting expectations and complying with contractual commitments. Effective EERM also calls for the ability to readily assess the appropriateness of future delivery models, and for organizations to determine whether executives are confident in their decisions to outsource or insource, as well as to build or buy systems.

Technology, data and analytics. Using advanced technology to make informed decisions requires an understanding of the data to which an organization has access and of the technology tools it can leverage to make decisions about third-party relationships. Further, effective EERM requires that leaders can access the information needed to make real-time decisions and are able to monitor and analyze the key performance indicators that support those decisions.

Driving Greater Enterprise Value

Proactive efforts to manage the extended enterprise can lead to revenue opportunities by qualifying an organization to do business with other entities. Such efforts can include an organization tightening its sourcing standards, such as requiring suppliers to abide by international treaties and protocols. From the buyer’s standpoint, well-defined supplier standards, along with governance processes and enabling technologies, can form the backbone of a supply chain compliance optimization program. Such programs not only can seek to ensure third-party adherence to policies and standards but also drive revenue by aligning the extended enterprise with the company’s broader business objectives, such as improving product quality, entering new markets and satisfying customer demands for sustainable sourcing.

“Complexity and resource constraints are no longer sufficient reasons to avoid taking an integrated approach to third-party risk management across the extended enterprise—neither is fear of the unknown,” says Mr. Kinsella.
